Details
Type: Bug
Resolution: Fixed
Priority: Blocker
8.2-milestone-2, 7.4.4
Description
Steps to reproduce:
- As a user without script or programming rights, edit your user profile (or any other document) with the wiki editor and add the content
{{groovy}}println("Hello " + "from Groovy!"){{/groovy}}
- Edit the document with the object editor and add an object of type AppWithinMinutes.LiveTableClass (no values need to be set, just save)
- View the document
Expected result:
An error is displayed that the user cannot execute the Groovy macro.
Actual result:
Below "Entries", the text "Hello from Groovy!" is displayed, showing that the Groovy macro has been executed.
This demonstrates remote code execution and privilege escalation from a simple user account that has only edit rights on its own profile.
The cause is that AppWithinMinutes.LiveTableViewSheet includes the document's content through a workaround for XWIKI-5027 that was meant to render that content securely. Since XWIKI-5477 was fixed, this workaround is no longer secure: the document's content is now executed with the sheet's rights instead of the content author's rights. This is also where the affected version comes from.
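The rights confusion described above, as an added model that is not XWiki's code and does not reproduce the actual include hack in AppWithinMinutes.LiveTableViewSheet (the issue does not show it). The users, documents, rights table and the `$content` placeholder are constructed for illustration. The model shows why macro authorization must follow the author of the content being rendered, not the author of the sheet that displays it:

```python
"""Model of a sheet rendering another document's content.

Two ways for a sheet to embed a target document's content:
  - vulnerable_sheet_view: splice the target's raw content into the sheet
    before rendering, so the target's macros run with the sheet author's rights
    (the failure mode in this issue);
  - fixed_sheet_view: render the target under its own author's rights first and
    splice only the already-rendered output into the rendered sheet.
All names below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Wiki macro syntax: {{name}}body{{/name}}
MACRO_RE = re.compile(r"\{\{(\w+)\}\}(.*?)\{\{/\1\}\}", re.DOTALL)

# Constructed rights table: only "admin" holds script/programming rights.
RIGHTS = {
    "admin": {"edit", "script", "programming"},
    "alice": {"edit"},
}

# Macros that need a privilege to execute, and which one.
PRIVILEGED_MACROS = {"groovy": "programming", "velocity": "script"}


@dataclass
class Document:
    name: str
    content: str
    author: str  # the user whose rights govern macro execution in this content


def execute_macro(name, body, executor):
    """Run one macro as `executor`, refusing privileged macros the user lacks."""
    required = PRIVILEGED_MACROS.get(name)
    if required and required not in RIGHTS.get(executor, set()):
        return f"[error: user {executor} is not allowed to run the {name} macro]"
    # Stand-in for real execution; records who the macro ran as.
    return f"<{name} executed as {executor}: {body}>"


def render(content, executor):
    """Render content, executing every macro under `executor`'s rights."""
    return MACRO_RE.sub(lambda m: execute_macro(m.group(1), m.group(2), executor), content)


def render_document(doc):
    """Normal view: content runs with its own author's rights."""
    return render(doc.content, doc.author)


def vulnerable_sheet_view(sheet, target):
    """Flawed pattern: raw target content is rendered as part of the sheet,
    so the target's macros inherit the sheet author's rights."""
    return render(sheet.content.replace("$content", target.content), sheet.author)


def fixed_sheet_view(sheet, target):
    """Hardened pattern: each document is rendered under its own author,
    and the rendered target is spliced in after the sheet has been rendered,
    so it can never be re-executed with the sheet's rights."""
    rendered_target = render(target.content, target.author)
    rendered_sheet = render(sheet.content, sheet.author)
    return rendered_sheet.replace("$content", rendered_target)


# Constructed documents mirroring the reproduction steps.
PROFILE = Document(
    "XWiki.alice",
    '{{groovy}}println("Hello " + "from Groovy!"){{/groovy}}',
    "alice",
)
SHEET = Document("AppWithinMinutes.LiveTableViewSheet", "Entries\n$content", "admin")

if __name__ == "__main__":
    print("direct view:     ", render_document(PROFILE))
    print("vulnerable sheet:", vulnerable_sheet_view(SHEET, PROFILE))
    print("fixed sheet:     ", fixed_sheet_view(SHEET, PROFILE))
```

Viewing the profile directly refuses the macro, the vulnerable sheet runs it as admin, and the fixed sheet carries alice's rights into the macro check even though the output is displayed inside an admin-authored sheet.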